Bring-Your-Own-Keys: Bringing Trust into SaaS

Below is a guest post by Karthik Bhat, founder and CEO of SecureDB, a MACH37 portfolio company.  SecureDB’s Encryption as a Service product makes implementing encryption into applications fast, easy, and inexpensive for businesses of all sizes – from startups to Fortune 500.  Learn more about SecureDB at

– Ledger West, Associate Partner, MACH37

Over the last few years, a wide variety of internal functions of business – HR, Payroll, CRM, e-signature, Benefits Management, Health Insurance, Project Management etc. have moved to respective SaaS companies. With more and more enterprises handing over their sensitive data to SaaS providers, there is a tremendous need to protect this data in the cloud using encryption. Any responsible cloud provider should be encrypting this sensitive customer data along with all proper key management practices.

However, the biggest challenge of cloud-encryption is: who owns the keys? Quite a number of companies will be okay with their SaaS provider owning and managing the encryption keys. Many will not.

The need of the hour is for the cloud platforms and SaaS companies to allow their customers to bring their own encryption keys – Bring Your Own Keys (BYOK). This way, customers can rely on SaaS companies without any apprehensions about data-leaks. BYOK will ensure that a SaaS company’s access to customers business data is always controlled. Thus, cloud providers and SaaS companies can continue focusing on the core value that they provide to the enterprises, without sweating much about security of sensitive customer data.

Why BYOK is Important?

The beauty of the BYOK is that enterprises have full control over the life cycle of the keys (generation, usage, backup, rotation etc.). The enterprise can also assign specific permissions on the encryption keys that limits what the cloud provider could do with the keys (for example, give only ‘encrypt’ and ‘decrypt’ permissions and not ‘key-rotate’, ‘key-delete’ permissions). The enterprise can also view the key usage logs to ensure the keys are used in accordance with the agreement.

When the enterprise wants to cease using the SaaS provider, they could download their data and simply revoke the access to the key. The SaaS provider no longer will be able to view or process the data. No more worries about whether the SaaS provider has done the right and responsible thing and deleted your data.

Bring Trust into SaaS
At SecureDB, we anticipate this to be the next logical step to acceleration of SaaS adoption.

Bring-Your-Own-Keys (BYOK) for data-encryption converts cloud and SaaS (inherently un-trusted) environments into trusted environments.



Consider this: when your company is using a SaaS service, your company data is most likely sitting right next to some other company’s data – in the same table or in the same database. This means that if an attacker finds a way to compromise the SaaS provider’s database, your company data is compromised just as everyone else’s.

Enter BYOK. If the SaaS provider supports BYOK, your data is encrypted using the keys you own. Now, you are protected against a whole slew of attack vectors. You can revoke the keys at will. This is in the best interest of SaaS companies too. They can vastly reduce their exposure to risk.

Write this into contract
Before a company hands over the data to SaaS companies, it is in the company’s best interest to ensure the SaaS company is encrypting the data. Call out specific fields that must be encrypted and provide the SaaS company with BYOK key.

We agree, this is still few years out. But we need to start somewhere. Please share your thoughts in the comment box below.